Pierluigi Paganini
October 28, 2023
The Pwn2Own Toronto 2023 hacking competition is over, the organizers awarded $1,038,250 for 58 unique 0-days. The Team Viettel (@vcslab) won the Master of Pwn with $180K and 30 points.
The vulnerabilities exploited by the experts have been disclosed to the vendors, the ZDI gives them 90 days to address these flaws.
That's a wrap on #Pwn2Own Toronto 2023! We awarded $1,038,250 for 58 unique 0-days during the event. Congratulations to Team Viettel (@vcslab) for winning Master of Pwn with $180K and 30 points. We'll see you at Pwn2Own Automotive in Tokyo next January. pic.twitter.com/CPKPTyMeIv
— Zero Day Initiative (@thezdi) October 27, 2023
The Viettel team received the greatest rewards of the last day, the researchers executed a heap-based buffer overflow and a stack-based buffer overflow against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup. The team earned $50,000 and 10 Master of Pwn points.
The researchers from Claroty executed a 4-bug chain against the TP-Link Omada Gigabit Router and Synology BC500 for the SOHO Smashup. However, one of the vulnerabilities they exploited was previously known (BUG Collision), for this reason, they earned $40,750 and 8.25 Master of Pwn points.
The STEALIEN group executed a stack-based buffer overflow attack against the Wyze Cam v3 resulting in a root shell. They earned $15,000 and 3 Master of Pwn Points.
The Team Viettel also earned $10,000 and 2 Master of Pwn points to execute a stack-based buffer overflow attack leading to RCE against the Lexmark CX331adwe.
Rafal Goryl demonstrated a 2-bug chain to hack the Wyze Cam v3 and gain a root shell. He earned $15,000 and 3 Master of Pwn Points.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Pwn2Own Toronto 2023)
